CVE-2011-5007
Published 2011-12-25
Priority: P2 | CVSS 2.0: 10.0 (critical) | Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C | Exploit: available
EPSS: 73.20% (99.4th percentile)
Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3ssoftware | codesys | <= 3.4 | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts as oversized HTTP GET requests to 8080/TCP whose URI exceeds 775 bytes, targeting the CoDeSys CmpWebServer component.
- Fingerprint CoDeSys web servers by checking HTTP response banners for the string '3S_WebServer'; its presence indicates a potentially vulnerable instance.
- Monitor for outbound connections to 4444/TCP from SCADA/PLC hosts following inbound HTTP traffic to 8080/TCP; the public exploits connect back on that port, so this sequence indicates a successful reverse shell. An attacker can choose another port, so any new outbound connection from a PLC shortly after such a request deserves the same scrutiny.
- The public exploit payload must avoid the bytes \x00\x09\x0a\x3f\x20\x23\x5e in the URI path (its bad characters). Flagging requests that contain these bytes is therefore not a useful signature; the characteristic shape is an oversized URI that is free of them and carries non-printable bytes.
- For ABB AC500 PLCs, also monitor 80/TCP for oversized URL requests, as the device may be configured to serve the vulnerable CoDeSys web server on port 80 instead of 8080.
- The vulnerable CoDeSys web server component is NOT active in the default configuration; it must be explicitly enabled. Exposure only exists when the web server is turned on.
- The exploit RET address (0x7E4456F7, jmp esp in user32.dll) is specific to Windows XP SP3; different offsets or return addresses may be required for other OS versions.
- The ABB AC500 PLC may serve the vulnerable web server on any arbitrary port, not just 8080; detection rules scoped only to port 8080 may miss attacks on reconfigured devices.
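The detection notes above, turned into runnable triage logic. This is an added example, not code from the page's sources, from 3S, ABB or the Metasploit module. It parses constructed sample HTTP requests and flow records (all built inline, not captured traffic), flags oversized GET URIs on the web-server ports, checks a response for the 3S_WebServer banner, and correlates a later outbound 4444/TCP connection from the PLC with the inbound request. The 60-second correlation window, the host addresses, and the function names `inspect_request`, `is_codesys_banner` and `reverse_shell_followups` are assumptions; port 80 is included because the AC500 may be reconfigured, and `WEB_PORTS` should be widened where a device listens elsewhere.

```python
"""Triage helpers for CVE-2011-5007 exploit attempts against the CoDeSys
CmpWebServer (added example; the sample data below is constructed, not captured)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

URI_LEN_THRESHOLD = 775                               # from the detection notes above
EXPLOIT_BAD_CHARS = b"\x00\x09\x0a\x3f\x20\x23\x5e"   # bytes the public exploit payload must avoid
BANNER_MARKER = b"3S_WebServer"
WEB_PORTS = {8080, 80}          # assumption: widen if the PLC serves the web server elsewhere
REVERSE_SHELL_PORT = 4444
CORRELATION_WINDOW_S = 60.0     # assumption: how long after the GET an outbound 4444 still counts


@dataclass
class Finding:
    src: str
    dst_port: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_request_line(raw: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (method, uri) from the first line of an HTTP request, else None."""
    first = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first.split(b" ")
    if len(parts) < 3 or not parts[-1].startswith(b"HTTP/"):
        return None
    return parts[0], b" ".join(parts[1:-1])


def inspect_request(src: str, dst_port: int, raw: bytes) -> Finding:
    """Flag a GET whose URI exceeds the overflow threshold on a web-server port."""
    finding = Finding(src, dst_port)
    parsed = parse_request_line(raw)
    if parsed is None or dst_port not in WEB_PORTS:
        return finding
    method, uri = parsed
    if method != b"GET" or len(uri) <= URI_LEN_THRESHOLD:
        return finding
    finding.reasons.append(f"oversized GET URI: {len(uri)} bytes > {URI_LEN_THRESHOLD}")
    # The exploit payload cannot contain its bad characters, so an oversized URI
    # that is free of them and carries raw non-printable bytes has the shape of a
    # shellcode-bearing request rather than a merely long path.
    free_of_bad_chars = not any(c in uri for c in EXPLOIT_BAD_CHARS)
    has_non_printable = any(c < 0x20 or c > 0x7E for c in uri)
    if free_of_bad_chars and has_non_printable:
        finding.reasons.append("URI avoids exploit bad chars and contains non-printable bytes")
    return finding


def is_codesys_banner(response: bytes) -> bool:
    """Fingerprint: the CoDeSys web server identifies itself as 3S_WebServer."""
    return BANNER_MARKER in response


def reverse_shell_followups(flows: Iterable[Tuple[float, str, str, int]]) -> List[Tuple[str, str, float]]:
    """flows are (timestamp, src, dst, dst_port). Return (plc, peer, delay) for each
    outbound 4444/TCP connection a host opens shortly after receiving inbound
    traffic on a web-server port."""
    last_inbound: Dict[str, Tuple[float, str]] = {}   # plc -> (ts, attacker)
    hits: List[Tuple[str, str, float]] = []
    for ts, src, dst, dport in sorted(flows):
        if dport in WEB_PORTS:
            last_inbound[dst] = (ts, src)
        elif dport == REVERSE_SHELL_PORT and src in last_inbound:
            t0, _attacker = last_inbound[src]
            if 0 <= ts - t0 <= CORRELATION_WINDOW_S:
                hits.append((src, dst, ts - t0))
    return hits


# ---- constructed samples (not captured traffic) ----
BENIGN_REQUEST = b"GET /webvisu.htm HTTP/1.1\r\nHost: plc\r\n\r\n"
# 775 bytes of filler, the XP SP3 jmp esp address from the notes above in
# little-endian byte order, then a NOP sled standing in for shellcode.
EXPLOIT_LIKE_REQUEST = (b"GET /" + b"A" * URI_LEN_THRESHOLD + b"\xf7\x56\x44\x7e"
                        + b"\x90" * 16 + b" HTTP/1.1\r\n\r\n")
SAMPLE_BANNER = b"HTTP/1.0 200 OK\r\nServer: 3S_WebServer\r\n\r\n"
SAMPLE_FLOWS = [
    (0.0, "10.0.0.9", "10.0.0.20", 8080),     # attacker -> PLC web server
    (2.5, "10.0.0.20", "10.0.0.9", 4444),     # PLC -> attacker: reverse shell
    (300.0, "10.0.0.21", "10.0.0.9", 4444),   # no preceding web request: ignored
]

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("exploit-like", EXPLOIT_LIKE_REQUEST)):
        print(name, inspect_request("10.0.0.9", 8080, req).reasons)
    print("banner match:", is_codesys_banner(SAMPLE_BANNER))
    print("reverse shells:", reverse_shell_followups(SAMPLE_FLOWS))
```

The length check alone will also fire on legitimately long URLs, so the second reason (no bad characters plus non-printable bytes) is what separates an overflow attempt from a noisy but harmless client; the flow correlation is the highest-confidence signal of the three because a PLC has no business opening outbound sessions to a host that just sent it an oversized request.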
CISA ICS
[CRITICAL] 3S CoDeSys Vulnerabilities
cisa_ics · 2018-09-06 · CVSS 10.0
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: 3S CoDeSys Vulnerabilities
Last Revised: September 06, 2018
Alert Code: ICSA-12-006-01
## Overview
This advisory is a follow-up to the alert update, ICS-ALERT-11-336-01A 3S CoDeSys Vulnerabilities, which was released on the ICS-CERT Web page on December 02, 2011.
Security researcher Celil Unuver (SignalSec LLC) and independent researcher Luigi Auriemma have identified vulnerabilities in the 3S Smart Software Solutions CoDeSys product, summarized in the following table. Mr. Auriemma publicly disclosed the five vulnerabilities along with proof-of-concept (PoC) exploit code, including
CISA ICS
ABB AC500 PLC Webserver CoDeSys Vulnerability
cisa_ics · 2013-04-30
ICS Advisory: ABB AC500 PLC Webserver CoDeSys Vulnerability
Last Revised: April 30, 2013
Alert Code: ICSA-12-320-01
## Overview
ICS-CERT has been notified of a buffer overflow vulnerability in the ABB AC500 PLC Webserver application. Successful exploitation of this vulnerability could lead to a denial of service (DoS), affecting the availability of the service. This vulnerability is related to ICS-CERT Advisory, ICSA-12-006-01--3S Smart Software Solutions CoDeSys Vulnerabilities as the ABB AC500 PLC uses the CoDeSys Webserver.
ABB has produced a patch for the AC500 PLC that mitigates this vulner
GHSA
GHSA-p96c-w9qf-8j98: Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3
ghsa_unreviewed · 2022-05-17 · CVE-2011-5007 · [HIGH] · CWE-119
Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080.
No detection rules found.
Exploit-DB
CoDeSys SCADA 2.3 - WebServer Stack Buffer Overflow (Metasploit)
exploitdb · 2011-12-13 · CVE-2011-5007
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CoDeSys SCADA v2.3 Webserver Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a remote stack buffer overflow vulnerability in
        3S-Smart Software Solutions product CoDeSys Scada Web Server Version 1.1.9.9.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Celil UNUVER', # Original discovery and exploit
          'TecR0c',       # Metasploit module
          'sinn3r'
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.exploit-db.com/exploits/18187/' ],
          [ 'U
```
Exploit-DB
CoDeSys SCADA 2.3 - Remote Buffer Overflow
exploitdb · 2011-12-01 · CVE-2011-5007
---
```text
/*
See Also: http://aluigi.altervista.org/adv/codesys_1-adv.txt
CoDeSys v2.3 Industrial Control System Development Software
Remote Buffer Overflow Exploit for CoDeSys Scada webserver
Author : Celil UNUVER, SignalSEC Labs
www.signalsec.com
Tested on WinXP SP1 EN
THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!
--snip--
root@bt:~# ./codesys 192.168.1.36
CoDeSys v2.3 webserver Remote Exploit
by SignalSEC Labs - www.signalsec.com
[+]Sending payload to SCADA system!
[+]Connecting to port 4444 to get shell!
192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.36] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\3S Software\CoDeSys V
```
Metasploit
SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow
metasploit
This module exploits a remote stack buffer overflow vulnerability in 3S-Smart Software Solutions product CoDeSys Scada Web Server Version 1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and earlier.
No writeups or analysis indexed.
References
- http://aluigi.altervista.org/adv/codesys_1-adv.txt
- http://ics-cert.us-cert.gov/advisories/ICSA-12-320-01
- http://osvdb.org/77387
- http://seclists.org/bugtraq/2011/Nov/178
- http://secunia.com/advisories/47018
- http://www.exploit-db.com/exploits/18187
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-336-01.pdf
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-336-01A.pdf